CVE-2024-55879

Dec. 13, 2024, 3:15 p.m.

9.1
Critical

Description

XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading.

Product(s) Impacted

Product Versions
XWiki Platform
  • ['2.3', 'before 15.10.9', 'before 16.3.0']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr
https://jira.xwiki.org/browse/XWIKI-21207
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398

Tags

security-advisories@github.com
CWE-862
2024-12-12
CVE-2024-55879

CVSS Score

9.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: Dec. 12, 2024, 8:15 p.m.
Last Modified: Dec. 13, 2024, 3:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.